What Is Malware?

Malware is code designed to disrupt the normal operation of, or cause harm to, a network or a user’s computer, phone, tablet, or other device. There is a wide range of malware categories, including but not limited to worms, trojans, spyware, and keyloggers. These labels describe behaviours rather than mutually exclusive families: they are often used loosely, and a growing number of malware variants combine several of these techniques in a single sample.

The vast majority of today’s malware is focused on making money for its authors.1 This is typically done by stealing confidential data such as usernames, passwords, credit card details, or other financial particulars. That information is then used to launch further attacks on individuals and businesses or is sold on to other malicious actors. Ransomware and cryptojacking are increasingly used to monetize an infection directly. The former locks a device or encrypts its files and demands payment to restore access; the latter steals a device’s processing power to mine cryptocurrencies such as Bitcoin, Monero, or Ethereum.

Malware is designed to bypass security systems and avoid detection, making it extremely difficult for security teams to ensure that users and the wider business are not adversely impacted. Malware authors use a variety of methods to achieve this, including obscure or look-alike filenames, modified file attributes (for example, hidden and system flags), mimicry of legitimate program behaviour, and hidden processes and network connections. These obfuscation and evasion techniques are helped along by the sheer volume of emerging malware: it is estimated that 350,000 new variants are discovered every day.2

How is Malware Distributed?

There are a number of different ways that malware is distributed, resulting in infected devices. These include:

  • A malicious file attached to a phishing email – The email will likely use social engineering techniques to encourage the recipient to open the attachment. Once opened, the malware code is delivered.
  • A malicious URL link in the body of an email – The email will likely use social engineering techniques to encourage the recipient to click on the link. Once clicked, the URL navigates to a web page that is a malware drop site.
  • A drive-by download – Malware code will be delivered when the user either lands on a malware drop site directly or is redirected to such a page via a malicious advert (malvertising).
  • An infected USB device.
  • Direct network intrusion through exploitation of services exposed via open ports on perimeter firewalls.
  • A vulnerability in the device’s operating system or installed applications – Take, for example, an old, outdated, or misconfigured Flash plugin in a user’s browser. A compromised website can fingerprint the visitor’s browser and plugins as soon as the page loads; the exploit kit hosted on that page identifies which known vulnerabilities are present, serves an exploit tailored to one of them, and that exploit in turn delivers the malware payload.
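The first two vectors in the list, a malicious attachment and a deceptive link, are the ones a mail gateway or SOC analyst can triage automatically. The script below is an added example rather than code from the original page: it builds a lure message inline (example-reserved domains and a fake four-byte PE header only, so it runs offline and contains nothing real) and then parses it back with the standard library, flagging executable and double-extension attachments, anchors whose visible text names a different host than the href, and anchors that point at a bare IP address. The extension lists are illustrative assumptions, not a complete policy.

```python
"""Added example: triage of a phishing e-mail for dangerous attachments and deceptive links."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extensions that execute when double-clicked on a typical Windows desktop (illustrative).
DANGEROUS_EXT = {".exe", ".scr", ".com", ".js", ".jse", ".vbs", ".hta",
                 ".bat", ".cmd", ".ps1", ".lnk", ".docm", ".xlsm"}
# Document-looking extensions used as the decoy half of a double extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def attachment_reasons(filename: str) -> list[str]:
    """Why an attachment filename is suspicious, e.g. 'Invoice.pdf.exe'."""
    suffixes = PurePosixPath(filename.lower()).suffixes  # ['.pdf', '.exe']
    reasons = []
    if suffixes and suffixes[-1] in DANGEROUS_EXT:
        reasons.append(f"executable extension {suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT:
        reasons.append(f"double extension disguised as {suffixes[-2]}")
    return reasons


def link_reasons(html: str) -> list[str]:
    """Flag anchors whose visible text claims one host while the href goes elsewhere,
    and anchors that point at a bare IP address."""
    reasons = []
    for href, inner in re.findall(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        href_host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
            reasons.append(f"link to bare IP address {href_host}")
        # Only compare hosts when the visible text itself looks like a URL or domain.
        if re.match(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:]|$)", shown, re.I):
            shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
            if shown_host and shown_host != href_host:
                reasons.append(f"link text shows {shown_host} but points at {href_host}")
    return reasons


def triage(raw_message: str) -> list[str]:
    """Parse an RFC 5322 message and return human-readable findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if reasons := attachment_reasons(name):
            findings.append(f"attachment {name}: " + "; ".join(reasons))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_reasons(body.get_content())
    return findings


def build_sample() -> str:
    """Constructed lure using example-reserved domains; returned as message text."""
    html = """<html><body>
<p>Your account has been locked. Sign in at
<a href="http://secure-login.example.net/verify">https://bank.example.com/login</a>
to restore access.</p>
<p><a href="http://192.0.2.10/update">Click here</a> to update your details.</p>
<p><a href="https://mail.example.org/unsubscribe">Unsubscribe</a></p>
</body></html>"""
    msg = EmailMessage()
    msg["From"] = "accounts@bank-example-notices.net"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "Invoice Attached - please open"
    msg.set_content("Please open the attached invoice.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,  # fake PE header bytes, not a real binary
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_4471.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Attachment checks key off the filename only, so pair them with content-type sniffing (a file claiming to be a PDF but starting with `MZ`) before trusting a negative result; the link check likewise catches only the text/href mismatch pattern, not every lookalike domain.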

Low Barriers to Entry

Up until a few years ago, a cybercriminal needed to have a decent understanding of software engineering, security, and networking to launch a malware attack. But an entire ecosystem has developed that enables malicious actors to build, deploy, and monetize malware. In fact, malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) are readily available, relatively cheap to purchase and download, and openly advertised.3

Types of Malware

Spyware: Tracks browsing activities and gathers information about a person or organization. Covertly sends this information to another entity for further malicious use or asserts control over a device, unbeknownst to the user.

Keylogger: Records keystrokes made by a user to extract usernames, passwords, and other sensitive information. This information is often used by cybercriminals for further malicious activity.

Trojan: Disguised as legitimate software to spy on or gain access to the user’s system to steal, delete, block, or modify data, as well as to disrupt device or network performance. There are many types of Trojans, including a backdoor Trojan that gives cybercriminals complete remote control of an infected device, a Trojan-DDoS that incorporates a device into a botnet then used to launch denial-of-service attacks, and an email Trojan that allows a device to be used to launch spam email attacks.4

Worm: Replicates itself from one device, drive, or network to another through network connections. Worms spread automatically, unassisted by human initiation, and self-replicate, consuming bandwidth and overloading web servers.5

Rootkit: Designed to gain and, above all, conceal privileged (administrative) control of a device, typically by hooking or patching the operating system so that the rootkit’s own files, processes, and network connections are hidden from the user and from security tools. Once installed, the malicious actors behind the rootkit can track everything done on the device, run files, install programs and additional malware, and modify software, including anti-virus programs. Because a rootkit subverts the very components a scanner relies on, rootkits are notoriously difficult to detect and remove.6

Ransomware: Encrypts the files on a user’s device or on network storage. To restore access to the encrypted files, the user must pay a “ransom” to cybercriminals, typically in a cryptocurrency such as Bitcoin, whose pseudonymous wallets make the recipient hard to identify.
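Because ransomware rewrites files with ciphertext, and ciphertext is statistically indistinguishable from random bytes, one practical early-warning check is to plant canary files that nobody should ever touch and watch their contents. The script below is an added example, not code from the original page: the canary contents are constructed, random bytes stand in for ciphertext, and the 7.5 bits/byte threshold is an assumption chosen to sit well above ordinary text and well below encrypted output.

```python
"""Added example: catch file encryption with canary files and a byte-entropy check."""
import hashlib
import math
import random
from collections import Counter

# Bits of entropy per byte. Plain text sits around 4-5, encrypted or random
# data close to 8. Compressed archives and images are also high, which is
# why the check is applied to canaries of known-plain content, not to every file.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Record a SHA-256 per canary so any write is noticed, not only encryption."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def check_canaries(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Compare canaries against the baseline. Any change is an alert (nobody should
    edit them); one that now looks encrypted is the strongest signal; a missing
    canary usually means it was renamed with a ransom extension or deleted."""
    alerts = []
    for name, digest in baseline.items():
        if name not in current:
            alerts.append(f"{name}: canary missing")
            continue
        data = current[name]
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        ent = shannon_entropy(data)
        kind = "ENCRYPTED" if ent >= ENTROPY_THRESHOLD else "modified"
        alerts.append(f"{name}: {kind} (entropy {ent:.2f} bits/byte)")
    return alerts


# Constructed canary contents. Names start with "00_" so they sort first in a
# directory listing and are among the first files an encryptor touches.
CANARIES = {
    "finance/00_canary.csv": b"date,vendor,amount\n" + b"2023-01-04,ACME,1250.00\n" * 200,
    "hr/00_canary.txt": b"Monitored file. Do not open, edit, or delete.\n" * 100,
}


def simulate_attack() -> list[str]:
    """Baseline the canaries, then apply what an encryptor would do and re-check."""
    baseline = snapshot(CANARIES)
    rng = random.Random(7)
    after = dict(CANARIES)
    # The CSV is overwritten in place; random bytes stand in for ciphertext.
    after["finance/00_canary.csv"] = rng.randbytes(len(CANARIES["finance/00_canary.csv"]))
    # The txt is encrypted and renamed with a ransom extension, so the original path vanishes.
    del after["hr/00_canary.txt"]
    after["hr/00_canary.txt.locked"] = rng.randbytes(1024)
    return check_canaries(baseline, after)


if __name__ == "__main__":
    for alert in simulate_attack():
        print(alert)
```

On a file server this runs against the real canary paths on a short timer, and an alert should trigger an automatic action (revoke the writing user’s share access, snapshot the volume) rather than just a ticket, since encryption of a whole share is measured in minutes.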

Cryptojacking: Uses a compromised device to mine cryptocurrency without the device owner’s knowledge or consent. The compromise arrives either through a malicious link in a phishing email that installs crypto mining malware, or through a website or online advertisement carrying malicious JavaScript mining code that runs in the browser for as long as the page stays open. The mining code operates silently in the background, and the only visible indication is often that users experience slower than normal device performance, along with higher fan noise, heat, and power draw.

Reducing the Risk of Malware Impacting Your Business

Educate the weakest link. The vast majority of malware requires someone to take action to activate the payload. Educating employees about how to recognize and defend against cyber attacks is vital. Many attacks will use email and social engineering techniques to trick the employee into downloading malware or divulging their username and password. As such, training should focus on these common attack vectors. Exercises where employees are sent faux “phishing” emails are effective in coaching users to distinguish between a genuine supplier communication and a phishing email with the subject line "Invoice Attached - please open."

Patch, patch, patch. Then patch again. As demonstrated by the 2018 Spectre and Meltdown CPU vulnerabilities, which let unprivileged code read kernel memory, and by the Drupal CMS vulnerability known as Drupalgeddon 2, failing to implement a rigorous approach to patching known security vulnerabilities can leave an enterprise exposed. Two months after the Drupal vulnerability was reported, over 115,000 servers were still running an outdated version of the platform.7 It is relatively simple for cybercriminals to identify unpatched devices and software on an enterprise’s network with off-the-shelf scanners, and once identified, to take advantage of the known vulnerabilities.

Back up your data, and back up your backup. To some, this may sound obvious, but ransomware can also encrypt backups stored on network servers, and some strains look for them deliberately. As a result, enterprises need to review their current approach to backups. Are employees backing up important files to a network drive? Are the backups from those devices and from the file servers then copied to a cloud or offline backup service that the compromised network cannot write to or delete from? Are you testing that the backups can actually be restored, and how long a restore takes? That way, if malware encrypts all local files and backups, an enterprise can still restore them quickly with minimal impact to the business.
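The restore test above is the step most often skipped, and it is cheap to automate: take a hash manifest of the source tree when the backup is made, restore the archive into a scratch directory, and compare file by file. The script below is an added example, not code from the original page or from any particular backup product; it builds a small directory tree in a temporary folder, uses a tar.gz as a stand-in for whatever your backup tool produces, and then shows what the same check reports after a simulated overwrite and deletion.

```python
"""Added example: prove a backup is restorable, not just present."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """relative path -> SHA-256 for every regular file under root, in sorted order."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Every manifest entry must exist with the same hash; extra files are reported too."""
    problems = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(set(build_manifest(restored)) - set(manifest)):
        problems.append(f"unexpected file: {rel}")
    return problems


def restore_archive(archive: Path, dest: Path) -> None:
    with tarfile.open(archive) as tar:
        # Use the 'data' extraction filter where the interpreter supports it; it
        # refuses path traversal and device members in a tampered archive.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def demo() -> tuple[list[str], list[str]]:
    """Returns (problems on a clean restore, problems after simulated damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("date,amount\n2023-01-04,1250.00\n")
        (src / "readme.txt").write_text("Quarterly exports. Do not edit by hand.\n")
        # Store the manifest with the backup set, ideally on media the source host cannot modify.
        manifest = build_manifest(src)

        archive = tmp / "share-backup.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname="share")

        restored = tmp / "restore-test"
        restored.mkdir()
        restore_archive(archive, restored)
        clean = verify_restore(manifest, restored / "share")

        # Simulate what ransomware, or a silently failing backup job, leaves behind.
        (restored / "share" / "finance" / "q1.csv").write_bytes(b"\x8f\x1a\x00\xe2 not the original")
        (restored / "share" / "readme.txt").unlink()
        damaged = verify_restore(manifest, restored / "share")
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean or "OK")
    print("damaged restore:", damaged)
```

The manifest only proves integrity if the attacker cannot rewrite it along with the backup, so keep it (and the backup) on storage the production network can write to once and never modify, and schedule the restore test so the elapsed time is measured as well as the result.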

Make it harder for the bad guys — have multiple layers of defense. Cybercriminals spend huge amounts of time and money developing ever-more sophisticated forms of advanced malware that are designed to bypass a company’s security defenses. Relying on a single layer of security against this evolving barrage is not best practice. Utilizing multiple security layers means that if one layer does not block an attack, you have additional overlays that can mitigate the threat. So, what layers of security defense does your company currently have in place? Do you have different security solutions to help mitigate risk during all stages of an attack? Are there current gaps in your security that malicious actors can exploit?


1. https://usa.kaspersky.com/resource-center/threats/who-creates-malware
2. https://www.av-test.org/en/statistics/malware/
3. https://www.information-age.com/global-cybercrime-economy-generates-over-1-5tn-according-to-new-study-123471631/
4. https://usa.kaspersky.com/resource-center/threats/trojans
5. https://www.veracode.com/security/computer-worm
6. https://heimdalsecurity.com/blog/rootkit/
7. https://www.bleepingcomputer.com/news/security/two-months-later-over-115-000-drupal-sites-still-vulnerable-to-drupalgeddon-2/
8. https://securelist.com/kaspersky-security-bulletin-2018-statistics/89145/
9. https://www.ibm.com/security/data-breach
10. https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
11. https://hostingfacts.com/internet-facts-stats/
12. https://www.wired.com/story/worst-hacks-2018-facebook-marriott-quora/
13. https://app47.com/2018/04/13/2018-internet-security-threat-report-shows-mobile-malware-on-the-rise/
14. https://www.safetydetective.com/blog/antivirus-statistics/
15. https://www.sophos.com/en-us/press-office/press-releases/2018/01/businesses-impacted-by-repeated-ransomware-attacks-according-to-sophos-global-survey.aspx
16. https://dataconomy.com/2018/03/12-scenarios-of-data-breaches/